HIPAA Settlement Highlights Importance of Mobile Device Encryption

Published On: July 31st, 2020

Lifespan Health System Pays $1.04 Million for Unencrypted Laptop Breach: A HIPAA Compliance Warning

The Costly Consequences of Inadequate Data Protection

Lifespan Health System Affiliated Covered Entity (Lifespan ACE), a nonprofit health system based in Rhode Island, has agreed to pay the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services $1.04 million and implement a comprehensive corrective action plan. The settlement resolves potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules stemming from the theft of an unencrypted laptop containing sensitive patient information.

Understanding the Breach and Its Impact

On April 21, 2017, Lifespan Corporation—the parent company and business associate of Lifespan ACE—filed a breach report with OCR concerning the theft of an affiliated hospital employee’s laptop. The device contained unencrypted electronic protected health information (ePHI) including patients’ names, medical record numbers, demographic information, and medication details. The breach compromised the protected health information of 20,431 individuals, highlighting the vulnerability of unencrypted mobile devices in healthcare settings.

Systemic HIPAA Noncompliance Uncovered

OCR’s investigation revealed serious systemic failures in Lifespan ACE’s HIPAA compliance program. Despite conducting a risk assessment that determined encryption was both reasonable and appropriate for protecting ePHI on laptops, the organization failed to implement this critical safeguard. According to the HHS Office for Civil Rights, recent proposed changes to the HIPAA Security Rule would require encryption of ePHI at rest and in transit with limited exceptions (HHS, 2024), reflecting the increasing importance of this security measure. Investigators also discovered inadequate device and media controls and the absence of a required business associate agreement with Lifespan Corporation.

The Growing Threat Landscape

The financial impact of healthcare data breaches continues to escalate. Healthcare breaches cost an average of $7.42 million per incident in 2025, making it the costliest industry for data breaches for 14 consecutive years (Sprinto, 2025). The threat is accelerating rapidly—725 large healthcare data breaches were reported in 2024, exposing more than 275 million records, representing 82% of the U.S. population (HIPAA Journal, 2025).

“Laptops, cellphones, and other mobile devices are stolen every day—that’s the hard reality,” said Roger Severino, OCR Director at the time of the settlement. “Covered entities can best protect their patients’ data by encrypting mobile devices to thwart identity thieves.”

Mandatory Corrective Action and Ongoing Monitoring

Beyond the substantial financial penalty, Lifespan has committed to a corrective action plan that includes two years of monitoring by OCR. This oversight ensures the organization implements proper encryption protocols, establishes comprehensive device and media controls, and maintains appropriate business associate agreements. Since a 2021 amendment to the HITECH Act, HHS’s Office for Civil Rights has discretion to refrain from enforcing penalties when covered entities can demonstrate at least twelve months of HIPAA compliance with a recognized security framework (HIPAA Journal, 2025), making proactive compliance increasingly valuable.

Protecting Your Organization from Similar Violations

The Lifespan settlement serves as a critical reminder that data breaches can result in fines of up to $1.5 million per violation (Actifile, 2025). Healthcare organizations must prioritize encryption as a fundamental security safeguard, implement robust device management policies, ensure all business associate agreements are properly executed, and conduct regular risk assessments with documented follow-through on security recommendations.

Evolve e-Learning Solutions offers comprehensive HIPAA compliance training that helps healthcare organizations understand their obligations under federal privacy and security regulations. Our courses cover encryption requirements, business associate relationships, breach notification procedures, and the technical safeguards necessary to protect patient information in today’s threat landscape.
